
In my application I want to use the Rabin cryptosystem with short keys (like 128 bits) and MD5 for hashing. I found that schemes like PKCS1-V1_5 or PSS do not allow you to have such small keys, and the resulting signature is like 64 bytes for a 512-bit key.

I need to sign a small amount of data, like 30-50 bytes, and having a 64-byte signature is a noticeable overhead. I tried BLS (48 bytes for a signature) but it is too slow compared to Rabin.

My idea is to use MD5 because it needs only 128 bits, and a short key of the same size to avoid padding. So in this case I don't need a scheme. Also this should give me 20 bytes for each signature. I realise that this is a very weak signature, but the data (packet) lifetime will be short.

Will such an approach work?

John Tracid

1 Answer


In principle what you describe seems to be a full domain hash (FDH) scheme, which is known to be secure for RSA.

Furthermore, you'd be choosing the wrong hash, as you generally need a collision-free hash to create signatures (although mere enhanced target collision resistance, eTCR, may suffice for specific randomized schemes; see this answer for more information).

However, with 128-bit signatures the private key will be known in seconds - if that. So in the end it doesn't matter if the hashing alone is secure or not. For larger key sizes it can definitely be made secure using a different PRF, e.g. SHAKE128.

If you can establish a secret key then a 128-bit MAC would be very secure. So maybe you need to offer up two messages in either direction to perform ECDH instead, to derive some MAC session key.

Maarten Bodewes
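As an added example (not code from the question or the answer above), here is a Python sketch of the Rabin-plus-MD5 construction the question describes, written as the full-domain-hash signature the answer names, followed by the key recovery that makes it unusable at 128 bits, and by the truncated-MAC alternative the answer recommends. Everything in it is my own illustrative choice: the Miller-Rabin and Blum-prime key generation, the one-byte counter used to land on a quadratic residue (Rabin can only sign squares mod n), the deterministic choice of root, the Pollard-rho factoring step and the HMAC-SHA256 truncation. The factoring demo is run on a 64-bit modulus so that pure Python finishes in a fraction of a second; a 128-bit modulus needs on the order of 2^32 rho steps, which is the sort of job dedicated factoring tools finish in the seconds the answer mentions, but is too slow to run here. The sample messages are constructed.

```python
import hashlib
import hmac
import math
import random

# --- Toy Rabin-FDH signatures with MD5 (added example, not from the post) ---

def is_probable_prime(n, rounds=32):
    """Miller-Rabin probable-prime test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def blum_prime(bits, rng):
    # p = 3 (mod 4): a square root of a residue h is then h^((p+1)/4) mod p.
    while True:
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | 3
        if is_probable_prime(p):
            return p

def keygen(modulus_bits, seed=None):
    """Returns ((p, q), n). `seed` only exists to make the demo reproducible."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    p = blum_prime(modulus_bits // 2, rng)
    q = blum_prime(modulus_bits // 2, rng)
    while q == p:
        q = blum_prime(modulus_bits // 2, rng)
    return (p, q), p * q

def fdh(msg, counter, n):
    # Full-domain hash: MD5(counter || msg) read as an integer mod n. With a
    # 128-bit n the 128-bit MD5 output already covers the whole domain.
    return int.from_bytes(hashlib.md5(bytes([counter]) + msg).digest(), "big") % n

def sign(priv, n, msg):
    p, q = priv
    for counter in range(256):
        h = fdh(msg, counter, n)
        # Only ~1/4 of values are squares mod n; bump the counter until one is.
        if h == 0 or pow(h, (p - 1) // 2, p) != 1 or pow(h, (q - 1) // 2, q) != 1:
            continue
        rp, rq = pow(h, (p + 1) // 4, p), pow(h, (q + 1) // 4, q)
        # CRT-combine into one of the four roots mod n. Always picking the same
        # root matters: handing out a second, different root of a value lets the
        # holder of the first root factor n with gcd(r1 - r2, n).
        s = (rp * q * pow(q, -1, p) + rq * p * pow(p, -1, q)) % n
        return counter, s
    raise ValueError("no quadratic residue found in 256 tries")

def verify(n, msg, sig):
    counter, s = sig
    return 0 < s < n and s * s % n == fdh(msg, counter, n)

def sig_bytes(n, sig):
    """Wire form: one counter byte plus the root, so 17 bytes for a 128-bit n."""
    counter, s = sig
    return bytes([counter]) + s.to_bytes((n.bit_length() + 7) // 8, "big")

# --- Key recovery: the modulus is the only secret, and it is tiny ---

def pollard_rho(n, rng):
    """Pollard's rho; expected cost about sqrt(smallest factor) steps."""
    while True:
        c, x = rng.randrange(1, n), rng.randrange(2, n)
        y, d = x, 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:
            return d

def recover_private_key(n, seed=None):
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    p = pollard_rho(n, rng)
    return tuple(sorted((p, n // p)))

# --- The alternative from the answer: a 128-bit MAC under a shared key ---

def mac_tag(key, msg):
    # HMAC-SHA256 truncated to 16 bytes: same overhead, no factoring to worry about.
    return hmac.new(key, msg, hashlib.sha256).digest()[:16]

def mac_verify(key, msg, tag):
    return hmac.compare_digest(mac_tag(key, msg), tag)

if __name__ == "__main__":
    packet = b"constructed 40-byte packet payload for the demo"   # constructed input
    priv, n = keygen(128, seed=1)
    sig = sign(priv, n, packet)
    print("128-bit modulus: verify =", verify(n, packet, sig), "sig bytes =", len(sig_bytes(n, sig)))
    priv64, n64 = keygen(64, seed=2)
    recovered = recover_private_key(n64, seed=3)
    forged = sign(recovered, n64, b"forged packet")
    print("64-bit modulus factored:", recovered == tuple(sorted(priv64)), "forgery verifies:", verify(n64, b"forged packet", forged))
    print("MAC tag bytes:", len(mac_tag(bytes(range(32)), packet)))
```

Running it prints a valid 17-byte Rabin-FDH signature for the 128-bit key, then shows that once the modulus is factored the attacker signs anything; the only thing standing between the two halves of the demo is the size of the modulus, which is exactly the answer's objection.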